{"id":18658,"date":"2026-03-25T20:36:08","date_gmt":"2026-03-25T20:36:08","guid":{"rendered":"https:\/\/cryptoted.net\/index.php\/2026\/03\/25\/security-alert-mist-can-be-vulnerable-when-navigating-to-malicious-dapps\/"},"modified":"2026-03-25T20:36:08","modified_gmt":"2026-03-25T20:36:08","slug":"security-alert-mist-can-be-vulnerable-when-navigating-to-malicious-dapps","status":"publish","type":"post","link":"https:\/\/cryptoted.net\/index.php\/2026\/03\/25\/security-alert-mist-can-be-vulnerable-when-navigating-to-malicious-dapps\/","title":{"rendered":"Security Alert – Mist can be vulnerable when navigating to malicious DApps"},"content":{"rendered":"


\n<\/p>\n

\n

Mist leaks some low level APIs, which Dapps could use to gain access to the computer’s file system and read\/delete files. This would only affect you if you navigate to an untrusted Dapp\u00a0that\u00a0knows about these vulnerabilities and specifically tries to attack users. Upgrading Mist is highly recommended to prevent exposure to attacks.<\/p>\n

Affected configurations<\/strong>: All versions of Mist from 0.8.6 and lower. This vulnerability doesn’t affect the Ethereum Wallet since it can\u2019t load external DApps.
\nLikelihood<\/strong>:\u00a0Medium
\nSeverity<\/strong>: High<\/p>\n

<\/g><\/svg><\/a>Summary<\/h2>\n

Some Mist API methods were exposed, making it possible for\u00a0malicious webpages to gain access to a privileged interface that could delete files on the local filesystem or launch registered protocol handlers and obtain sensitive information, such as the user directory or the user’s “coinbase”.
\nVulnerable exposed mist APIs:<\/p>\n

mist.shell<\/span><\/code><\/pre>\n
mist.dirname<\/span><\/code><\/pre>\n
mist.syncMinimongo<\/span><\/code><\/pre>\n
web3.eth.coinbase<\/span><\/code><\/pre>\n
 is now <\/p>\n
null<\/span><\/code><\/pre>\n
, if the account is not allowed for the dapp<\/p>\n
<\/g><\/svg><\/a>Solution<\/h2>\n
Upgrade to the latest version of the Mist Browser<\/a>. Do not use any previous Mist versions to navigate to any untrusted webpage, or local webpages from unknown origins. The Ethereum Wallet is not affected as it doesn’t allow navigation to external pages.
\nThis is a good reminder that Mist is currently only considered for Ethereum App Development and should not be used for end users to navigate on the open web until it has\u00a0reached at least version 1.0. An external audit of Mist is scheduled for December.<\/p>\n
A big thanks goes to @tintinweb<\/a> for his very useful reproduction app to test the vulnerabilities!<\/p>\n
We are also thinking of adding Mist to the bounty program, if you find\u00a0vulnerabilities or severe bugs please contract us at\u00a0bounty@ethereum.org<\/a><\/p>\n<\/div>\n

\n
Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Mist leaks some low level APIs, which Dapps could use to gain access to the computer’s file system and read\/delete files. This would only affect you if you navigate to an untrusted Dapp\u00a0that\u00a0knows about these vulnerabilities and specifically tries to attack users. Upgrading Mist is highly recommended to prevent exposure to attacks. Affected configurations: All […]<\/p>\n","protected":false},"author":6,"featured_media":18498,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"tdm_status":"","tdm_grid_status":"","footnotes":""},"categories":[24],"tags":[],"kronos_expire_date":[],"class_list":["post-18658","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ethereum"],"_links":{"self":[{"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/posts\/18658","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/comments?post=18658"}],"version-history":[{"count":0,"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/posts\/18658\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/media\/18498"}],"wp:attachment":[{"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/media?parent=18658"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/categories?post=18658"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/tags?post=18658"},{"taxonomy":"kronos_expire_date","embeddable":true,"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/kronos_expire_date?post=18658"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}